Now, I've tried several other NON-VIRTUAL Gentoo systems running 2.6.30 or later, with a more recent version of iptables, and this rule is executed without error.

I've checked the man page; the pkttype module is in the documentation, and it doesn't seem to be a syntax problem (if anyone knows, please post!), and it's not possible to load the "xt_pkttype" iptables module. I've been trying to figure out exactly what the problem is; this is what I've come up with so far:

The "xt_pkttype" module is not enabled in the kernel config.

The "xt_pkttype" module was not fully implemented in that kernel version.

Out of habit, iptables was one of the first things I installed when I first got the virtual Gentoo box. As a result, my iptables command sets are likely clobbered. After speaking with a contact, the default for this kernel version is net-firewall/iptables-1.4.3.2. I've rolled the version back, but still no joy.

Since Gentoo is a source distribution, and not binary, you can upgrade the iptables version to take advantage of new features and squashed bugs, but in this case, since the iptables modules are built into the kernel itself, no upgrades are possible.

Is there any possibility of getting a Gentoo kernel with the iptables sources built as modules and not right into the kernel binary?
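The post above lists two candidate explanations (match not enabled in the kernel config, or not implemented in that kernel) without a way to tell them apart. The script below is an added example, not code from the thread or from Gentoo; it checks a kernel the way a practitioner would before writing rules that use the match. It relies only on standard Linux interfaces: netfilter lists every match it currently knows about (built in or loaded) one per line in /proc/net/ip_tables_matches, the kernel option behind the match is CONFIG_NETFILTER_XT_MATCH_PKTTYPE, and as a module it is named xt_pkttype. The sample match lists and .config fragments embedded in it are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether the running kernel
# offers the iptables "pkttype" match, and whether that is because the
# module is merely not loaded or because the kernel was built without it.

# match_status LIST NAME: print "available" if NAME appears as a whole line
# of LIST (the text of /proc/net/ip_tables_matches), otherwise "missing".
match_status() {
    if printf '%s\n' "$1" | grep -qx -- "$2"; then
        echo available
    else
        echo missing
    fi
}

# config_status CONFIG NAME: read a kernel .config (e.g. the output of
# `zcat /proc/config.gz`) and print "builtin", "module" or "absent" for the
# CONFIG_NETFILTER_XT_MATCH_<NAME> option.
config_status() {
    opt="CONFIG_NETFILTER_XT_MATCH_$(printf '%s' "$2" | tr 'a-z' 'A-Z')"
    case "$(printf '%s\n' "$1" | grep -- "^$opt=" | head -n 1)" in
        "$opt=y") echo builtin ;;
        "$opt=m") echo module ;;
        *)        echo absent ;;
    esac
}

# live_status NAME: like match_status, but against the live kernel. If the
# match is missing, try loading xt_NAME first (needs root), so that a module
# that is simply not loaded is not mistaken for one the kernel never had.
live_status() {
    [ -r /proc/net/ip_tables_matches ] || { echo no-netfilter; return; }
    s=$(match_status "$(cat /proc/net/ip_tables_matches)" "$1")
    if [ "$s" = missing ] && command -v modprobe >/dev/null 2>&1; then
        modprobe "xt_$1" 2>/dev/null || true
        s=$(match_status "$(cat /proc/net/ip_tables_matches)" "$1")
    fi
    echo "$s"
}

# Constructed sample: a match list from a VPS kernel without xt_pkttype.
VPS_MATCHES="conntrack
icmp
multiport
state
tcp
udp"

# Constructed sample: a match list from a kernel that carries the match.
FULL_MATCHES="conntrack
icmp
multiport
pkttype
state
tcp
udp"

# Constructed .config fragments for the same two cases.
VPS_CONFIG="CONFIG_NETFILTER_XT_MATCH_STATE=y
# CONFIG_NETFILTER_XT_MATCH_PKTTYPE is not set"
FULL_CONFIG="CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m"

if [ "${1:-}" = --live ]; then
    # Usage on the box in question (as root): sh check_pkttype.sh --live
    echo "pkttype on this kernel: $(live_status pkttype)"
    if [ -r /proc/config.gz ]; then
        echo "kernel config says: $(config_status "$(zcat /proc/config.gz)" pkttype)"
    fi
else
    echo "VPS sample:  $(match_status "$VPS_MATCHES" pkttype), config $(config_status "$VPS_CONFIG" pkttype)"
    echo "full sample: $(match_status "$FULL_MATCHES" pkttype), config $(config_status "$FULL_CONFIG" pkttype)"
fi
```

Run without arguments it only exercises the constructed samples; with --live it inspects the kernel it runs on. "missing" after the modprobe attempt, together with "absent" from /proc/config.gz (when the kernel exports its config at all), means no iptables upgrade from Portage can help, because the match lives in the kernel, not in the userspace package. Only once live_status prints "available" will a rule such as `iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP` load.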

Just commenting that I have observed this behaviour as well. My best guess is that the kernel as provided lacks the required module to support this type of traffic classification... I am also interested in having this fixed. Whether the module is built into the kernel or can be dynamically loaded doesn't matter so much to me, but it would be nice to have either way.

Sorry, crazy busy. I hassled support about it. Here is the response from yesterday.

VPSVille Support:

xt_pkttype is not enabled in the virtual kernel, and hasn't been virtualized yet. It's enabled on the hardware node already, so if you can't see it, it's not going to work inside a VPS.

That said, there's still the issue of net-firewall/iptables coming in and clobbering things during an 'emerge world'. The only way around that is to mask them in /etc/portage/package.mask, but then you are stuck with an older version of iptables (no bugfixes, no new features).

Going to ask about other modules that would be treated in this manner as well.

Other modules may or may not be usable, depending on whether they have been virtualized yet. But the above ones will work for sure.

Note the last comment: it's NOT an exhaustive list.

It does seem to be quite a few LESS than on my home file server running a 2.6.31-gentoo-r10 kernel. Granted, there have been quite a few kernel revisions and quite a few changes to iptables between the two kernels.